Description
This article describes the case where, when a VIP is used, an nmap scan of the VIP's external address shows many ports as open.
Scope: FortiGate 7.0, 7.2, and 7.6.
Solution
Example VIP configuration:
config firewall vip
    edit "test-vip"
        set uuid e16d0128-b55a-51ee-3173-f768c070d037
        set extip 192.168.72.15
        set mappedip "192.168.32.15"
        set extintf "any"
    next
end
Example policy configuration:
config firewall policy
    edit 5
        set name "test-vip"
        set uuid f8362f38-b55a-51ee-123b-5881aa9e1569
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "test-vip"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "CNSA-DI-Inbound-V3"
        set file-filter-profile "Monitor-Exec-And-Archives"
        set ips-sensor "CNSA-IPS"
        set application-list "CNSA-Block-Weak-SSL-TLS-and-Monitor"
        set logtraffic all
    next
end
Example nmap scan:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-22 14:22 Eastern Standard Time
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating ARP Ping Scan at 14:22
Scanning 192.168.72.15 [1 port]
Completed ARP Ping Scan at 14:22, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:22
Completed Parallel DNS resolution of 1 host. at 14:22, 0.01s elapsed
Initiating SYN Stealth Scan at 14:22
Scanning 192.168.72.15 [65535 ports]
Discovered open port 80/tcp on x.x.x.x
Discovered open port 443/tcp on x.x.x.x
SYN Stealth Scan Timing: About 21.64% done; ETC: 14:24 (0:01:52 remaining)
SYN Stealth Scan Timing: About 51.10% done; ETC: 14:24 (0:00:58 remaining)
Discovered open port 8015/tcp on x.x.x.x
Discovered open port 8010/tcp on x.x.x.x
Completed SYN Stealth Scan at 14:24, 103.10s elapsed (65535 total ports)
Initiating Service scan at 14:24
Scanning 4 services on 192.168.72.15
Service scan Timing: About 25.00% done; ETC: 14:27 (0:02:18 remaining)
It is necessary to set the specific ports in the VIP:
config firewall vip
It may be necessary to create several VIPs if more than one port must be open on the same external address.
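To verify the exposure before and after narrowing the VIP, a defender can compare the ports nmap discovered with the ports the policy's service list is meant to publish. The script below is an added example, not code from the Fortinet article; it parses the "Discovered open port" lines of nmap's verbose output (sample lines constructed from the scan above, host redacted as x.x.x.x) and assumes the predefined FortiGate service objects HTTP and HTTPS still map to 80/tcp and 443/tcp.

```python
import re
from typing import Iterable, Set, Tuple

# Ports behind the predefined FortiGate service objects named in the policy.
# Assumption: the default definitions (HTTP=80/tcp, HTTPS=443/tcp) are in use.
SERVICE_PORTS = {"HTTP": {80}, "HTTPS": {443}}

# nmap's verbose progress line, e.g. "Discovered open port 8015/tcp on 192.168.72.15"
DISCOVERED_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

# Constructed sample: the port lines from the scan in the article (host redacted).
SAMPLE_NMAP_OUTPUT = """\
Scanning 192.168.72.15 [65535 ports]
Discovered open port 80/tcp on x.x.x.x
Discovered open port 443/tcp on x.x.x.x
SYN Stealth Scan Timing: About 21.64% done; ETC: 14:24 (0:01:52 remaining)
Discovered open port 8015/tcp on x.x.x.x
Discovered open port 8010/tcp on x.x.x.x
Completed SYN Stealth Scan at 14:24, 103.10s elapsed (65535 total ports)
"""


def discovered_tcp_ports(nmap_output: str) -> Set[int]:
    """TCP ports nmap reported as open, parsed from the verbose output."""
    return {int(m.group(1)) for m in DISCOVERED_RE.finditer(nmap_output) if m.group(2) == "tcp"}


def intended_ports(policy_services: Iterable[str]) -> Set[int]:
    """Ports the policy's service list is meant to publish through the VIP."""
    ports: Set[int] = set()
    for svc in policy_services:
        ports |= SERVICE_PORTS[svc]  # KeyError on an unknown service object is deliberate
    return ports


def vip_exposure(nmap_output: str, policy_services: Iterable[str]) -> Tuple[Set[int], Set[int]]:
    """Return (expected, unexpected) open ports.

    Unexpected ports mean the VIP forwards more than the policy's service list
    suggests, and the VIP should be narrowed to the specific ports.
    """
    found = discovered_tcp_ports(nmap_output)
    wanted = intended_ports(policy_services)
    return found & wanted, found - wanted


if __name__ == "__main__":
    ok, extra = vip_exposure(SAMPLE_NMAP_OUTPUT, ["HTTP", "HTTPS"])
    print("expected open:", sorted(ok))      # [80, 443]
    print("unexpected open:", sorted(extra))  # [8010, 8015]
```

Re-running the scan after the VIP is restricted to specific ports should leave the unexpected set empty.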
Copyright 2024 Fortinet, Inc. All Rights Reserved.